[....] Starting enhanced syslogd: rsyslogd
[   12.900725] audit: type=1400 audit(1516152765.388:5): avc:  denied  { syslog } for  pid=3503 comm="rsyslogd" capability=34  scontext=system_u:system_r:kernel_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=capability2 permissive=1
[ ok ].
Starting mcstransd:
[....] Starting periodic command scheduler: cron [ ok ].
[....] Starting file context maintaining daemon: restorecond [ ok ].
[....] Starting OpenBSD Secure Shell server: sshd [ ok ].

Debian GNU/Linux 7 syzkaller ttyS0

syzkaller login: [   20.262180] audit: type=1400 audit(1516152772.749:6): avc:  denied  { map } for  pid=3643 comm="bash" path="/bin/bash" dev="sda1" ino=1457 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=system_u:object_r:file_t:s0 tclass=file permissive=1
Warning: Permanently added '10.128.0.4' (ECDSA) to the list of known hosts.
[   26.486626] audit: type=1400 audit(1516152778.974:7): avc:  denied  { map } for  pid=3658 comm="syz-execprog" path="/root/syz-execprog" dev="sda1" ino=16479 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1
2018/01/17 01:32:59 parsed 1 programs
2018/01/17 01:32:59 executed programs: 0
[   26.677808] audit: type=1400 audit(1516152779.165:8): avc:  denied  { map } for  pid=3658 comm="syz-execprog" path="/root/syzkaller-shm107761021" dev="sda1" ino=16482 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:file_t:s0 tclass=file permissive=1
[   26.858702] audit: type=1400 audit(1516152779.345:9): avc:  denied  { sys_admin } for  pid=3663 comm="syz-executor4" capability=21  scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=cap_userns permissive=1
[   26.887544] audit: type=1400 audit(1516152779.375:10): avc:  denied  { sys_chroot } for  pid=3673 comm="syz-executor4" capability=18  scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=cap_userns permissive=1
2018/01/17 01:33:04 executed programs: 1410
[   36.201417] ==================================================================
[   36.208844] BUG: KASAN: use-after-free in pppol2tp_connect+0x1a97/0x1dd0
[   36.215676] Read of size 8 at addr ffff8801d6326928 by task syz-executor7/12931
[   36.223105]
[   36.224726] CPU: 1 PID: 12931 Comm: syz-executor7 Not tainted 4.15.0-rc8+ #174
[   36.232071] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   36.241413] Call Trace:
[   36.243994]  dump_stack+0x194/0x257
[   36.247610]  ? arch_local_irq_restore+0x53/0x53
[   36.252270]  ? show_regs_print_info+0x18/0x18
[   36.256761]  ? retint_kernel+0x10/0x10
[   36.260632]  ? pppol2tp_connect+0x1a97/0x1dd0
[   36.265123]  print_address_description+0x73/0x250
[   36.269950]  ? pppol2tp_connect+0x1a97/0x1dd0
[   36.274433]  kasan_report+0x25b/0x340
[   36.278230]  __asan_report_load8_noabort+0x14/0x20
[   36.283146]  pppol2tp_connect+0x1a97/0x1dd0
[   36.287468]  ? pppol2tp_recv_payload_hook+0x1b0/0x1b0
[   36.292642]  ? selinux_netlbl_socket_connect+0x76/0x1b0
[   36.297982]  ? selinux_socket_connect+0x311/0x730
[   36.302800]  ? lock_downgrade+0x980/0x980
[   36.306924]  ? selinux_socket_setsockopt+0x80/0x80
[   36.311829]  ? lock_release+0xa40/0xa40
[   36.315776]  ? trace_event_raw_event_sched_switch+0x800/0x800
[   36.321634]  ? __check_object_size+0x25d/0x4f0
[   36.326194]  ? __might_sleep+0x95/0x190
[   36.330152]  ? security_socket_connect+0x89/0xb0
[   36.334890]  SYSC_connect+0x213/0x4a0
[   36.338668]  ? SYSC_bind+0x410/0x410
[   36.342364]  ? get_unused_fd_flags+0x121/0x190
[   36.346933]  ? trace_hardirqs_off+0xd/0x10
[   36.351147]  ? exit_to_usermode_loop+0x198/0x310
[   36.355890]  ? trace_event_raw_event_sys_exit+0x260/0x260
[   36.361401]  ? lock_downgrade+0x980/0x980
[   36.365535]  SyS_connect+0x24/0x30
[   36.369055]  ? SyS_accept+0x30/0x30
[   36.372657]  do_fast_syscall_32+0x3ee/0xf9d
[   36.376950]  ? do_raw_spin_trylock+0x190/0x190
[   36.381510]  ? do_int80_syscall_32+0x9d0/0x9d0
[   36.386074]  ? syscall_return_slowpath+0x2ad/0x550
[   36.390974]  ? prepare_exit_to_usermode+0x340/0x340
[   36.395967]  ? sysret32_from_system_call+0x5/0x3b
[   36.400786]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[   36.405614]  entry_SYSENTER_compat+0x54/0x63
[   36.409991] RIP: 0023:0xf7f12c79
[   36.413329] RSP: 002b:00000000f7f0e08c EFLAGS: 00000296 ORIG_RAX: 000000000000016a
[   36.421019] RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 0000000020e71000
[   36.428266] RDX: 0000000000000032 RSI: 0000000000000000 RDI: 0000000000000000
[   36.435506] RBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000000
[   36.442748] R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000000
[   36.449996] R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
[   36.457265]
[   36.458867] Allocated by task 12911:
[   36.462560]  save_stack+0x43/0xd0
[   36.465982]  kasan_kmalloc+0xad/0xe0
[   36.469685]  kasan_slab_alloc+0x12/0x20
[   36.473638]  kmem_cache_alloc+0x12e/0x760
[   36.477764]  sk_prot_alloc+0x65/0x2a0
[   36.481539]  sk_alloc+0x105/0x1410
[   36.485067]  inet6_create+0x44d/0x10f0
[   36.488930]  __sock_create+0x4d4/0x850
[   36.492788]  SyS_socket+0xeb/0x1d0
[   36.496297]  do_fast_syscall_32+0x3ee/0xf9d
[   36.500587]  entry_SYSENTER_compat+0x54/0x63
[   36.504959]
[   36.506559] Freed by task 12931:
[   36.509898]  save_stack+0x43/0xd0
[   36.513319]  kasan_slab_free+0x71/0xc0
[   36.517176]  kmem_cache_free+0x83/0x2a0
[   36.521124]  __sk_destruct+0x622/0x910
[   36.524988]  sk_destruct+0x47/0x80
[   36.528498]  __sk_free+0x57/0x230
[   36.531924]  sk_free+0x2a/0x40
[   36.535089]  l2tp_session_free+0x21c/0x2b0
[   36.539293]  pppol2tp_session_destruct+0xd4/0x110
[   36.544106]  __sk_destruct+0xfd/0x910
[   36.547878]  sk_destruct+0x47/0x80
[   36.551385]  __sk_free+0x57/0x230
[   36.554810]  sk_free+0x2a/0x40
[   36.557974]  pppol2tp_put_sk+0x49/0x60
[   36.561831]  rcu_process_callbacks+0xd6c/0x17f0
[   36.566473]  __do_softirq+0x2d7/0xb85
[   36.570242]
[   36.571848] The buggy address belongs to the object at ffff8801d6326700
[   36.571848]  which belongs to the cache UDPv6 of size 1664
[   36.584052] The buggy address is located 552 bytes inside of
[   36.584052]  1664-byte region [ffff8801d6326700, ffff8801d6326d80)
[   36.595985] The buggy address belongs to the page:
[   36.600891] page:ffffea000758c980 count:1 mapcount:0 mapping:ffff8801d6326000 index:0x0
[   36.609005] flags: 0x2fffc0000000100(slab)
[   36.613219] raw: 02fffc0000000100 ffff8801d6326000 0000000000000000 0000000100000002
[   36.621070] raw: ffffea00074f08a0 ffffea000755b7a0 ffff8801d318dcc0 0000000000000000
[   36.628916] page dumped because: kasan: bad access detected
[   36.634595]
[   36.636193] Memory state around the buggy address:
[   36.641089]  ffff8801d6326800: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   36.648414]  ffff8801d6326880: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   36.655740] >ffff8801d6326900: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   36.663068]                             ^
[   36.667708]  ffff8801d6326980: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   36.675042]  ffff8801d6326a00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   36.682373] ==================================================================
[   36.689703] Disabling lock debugging due to kernel taint
[   36.695290] Kernel panic - not syncing: panic_on_warn set ...
[   36.695290]
2018/01/17 01:33:09 executed programs: 3101
[   36.702648] CPU: 1 PID: 12931 Comm: syz-executor7 Tainted: G    B            4.15.0-rc8+ #174
[   36.711287] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   36.720626] Call Trace:
[   36.723203]  dump_stack+0x194/0x257
[   36.726814]  ? arch_local_irq_restore+0x53/0x53
[   36.731454]  ? kasan_end_report+0x32/0x50
[   36.735573]  ? trace_hardirqs_on_thunk+0x1a/0x1c
[   36.740297]  ? vsnprintf+0x1ed/0x1900
[   36.744067]  ? pppol2tp_connect+0x1a20/0x1dd0
[   36.748532]  panic+0x1e4/0x41c
[   36.751695]  ? refcount_error_report+0x214/0x214
[   36.756419]  ? add_taint+0x1c/0x50
[   36.759925]  ? add_taint+0x1c/0x50
[   36.763435]  ? pppol2tp_connect+0x1a97/0x1dd0
[   36.767897]  kasan_end_report+0x50/0x50
[   36.771839]  kasan_report+0x144/0x340
[   36.775609]  __asan_report_load8_noabort+0x14/0x20
[   36.780508]  pppol2tp_connect+0x1a97/0x1dd0
[   36.784804]  ? pppol2tp_recv_payload_hook+0x1b0/0x1b0
[   36.789965]  ? selinux_netlbl_socket_connect+0x76/0x1b0
[   36.795299]  ? selinux_socket_connect+0x311/0x730
[   36.800112]  ? lock_downgrade+0x980/0x980
[   36.804230]  ? selinux_socket_setsockopt+0x80/0x80
[   36.809127]  ? lock_release+0xa40/0xa40
[   36.813073]  ? trace_event_raw_event_sched_switch+0x800/0x800
[   36.818925]  ? __check_object_size+0x25d/0x4f0
[   36.823478]  ? __might_sleep+0x95/0x190
[   36.827425]  ? security_socket_connect+0x89/0xb0
[   36.832152]  SYSC_connect+0x213/0x4a0
[   36.835920]  ? SYSC_bind+0x410/0x410
[   36.839602]  ? get_unused_fd_flags+0x121/0x190
[   36.844168]  ? trace_hardirqs_off+0xd/0x10
[   36.848372]  ? exit_to_usermode_loop+0x198/0x310
[   36.853098]  ? trace_event_raw_event_sys_exit+0x260/0x260
[   36.858601]  ? lock_downgrade+0x980/0x980
[   36.862722]  SyS_connect+0x24/0x30
[   36.866231]  ? SyS_accept+0x30/0x30
[   36.869826]  do_fast_syscall_32+0x3ee/0xf9d
[   36.874118]  ? do_raw_spin_trylock+0x190/0x190
[   36.878669]  ? do_int80_syscall_32+0x9d0/0x9d0
[   36.883222]  ? syscall_return_slowpath+0x2ad/0x550
[   36.888122]  ? prepare_exit_to_usermode+0x340/0x340
[   36.893110]  ? sysret32_from_system_call+0x5/0x3b
[   36.897922]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[   36.902737]  entry_SYSENTER_compat+0x54/0x63
[   36.907113] RIP: 0023:0xf7f12c79
[   36.910447] RSP: 002b:00000000f7f0e08c EFLAGS: 00000296 ORIG_RAX: 000000000000016a
[   36.918122] RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 0000000020e71000
[   36.925363] RDX: 0000000000000032 RSI: 0000000000000000 RDI: 0000000000000000
[   36.932621] RBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000000
[   36.939860] R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000000
[   36.947098] R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
[   36.954770] Dumping ftrace buffer:
[   36.958283]    (ftrace buffer empty)
[   36.961961] Kernel Offset: disabled
[   36.965556] Rebooting in 86400 seconds..
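What the report above states, read off its own lines: a UDPv6 socket object (1664 bytes, allocated under inet6_create by task 12911) was freed from an RCU callback in softirq context (pppol2tp_put_sk -> sk_free -> pppol2tp_session_destruct -> l2tp_session_free -> sk_free), and pppol2tp_connect, running a 32-bit-compat connect() on behalf of task 12931, then read 8 bytes at offset 552 into that freed object; every shadow byte around the address is fb, the KASAN_KMALLOC_FREE poison. The script below is an added triage example, not code from the kernel or from syzkaller. It parses an excerpt of this report (embedded inline as the sample input), re-derives the offset and region arithmetic, looks up the shadow byte that covers the faulting address and decodes it, and picks the first frame of the free stack that is not allocator or KASAN plumbing. The shadow encodings are the generic-KASAN values from mm/kasan/kasan.h in 4.15; the function names and the NOISE frame filter are this example's own choices.

```python
"""KASAN slab-report triage: an added example, not kernel or syzkaller code.
Re-derives what a triager checks by hand on the report above (object offset,
region bounds, the shadow byte covering the faulting address)."""
import re

# Slab-related shadow encodings from mm/kasan/kasan.h (generic KASAN, 4.15);
# 0x00 = whole 8-byte granule addressable, 0x01..0x07 = only the first N bytes.
SHADOW_POISON = {0xFF: "KASAN_FREE_PAGE", 0xFE: "KASAN_PAGE_REDZONE",
                 0xFC: "KASAN_KMALLOC_REDZONE", 0xFB: "KASAN_KMALLOC_FREE",
                 0xFA: "KASAN_GLOBAL_REDZONE"}
TS = re.compile(r"^\[\s*\d+\.\d+\]\s?")      # printk timestamp prefix
# Frames that are allocator/KASAN plumbing rather than the code that owns the object.
NOISE = re.compile(r"^(save_stack|kasan_|__asan_|kmem_cache_|kmalloc|kfree)")


def parse_kasan_report(text):
    """Parse the KASAN section of a console log into a dict."""
    r, cur = {"alloc": [], "freed": [], "shadow": {}}, None
    for raw in text.splitlines():
        ln = TS.sub("", raw).strip()
        if m := re.match(r"BUG: KASAN: (\S+) in (\w+)\+0x", ln):
            r["bug"], r["func"] = m.groups()
        elif m := re.match(r"(Read|Write) of size (\d+) at addr ([0-9a-f]+)", ln):
            r.update(access=m[1], size=int(m[2]), addr=int(m[3], 16))
        elif m := re.match(r"The buggy address belongs to the object at ([0-9a-f]+)", ln):
            r["obj_base"] = int(m[1], 16)
        elif m := re.match(r"which belongs to the cache (\S+) of size (\d+)", ln):
            r.update(cache=m[1], obj_size=int(m[2]))
        elif m := re.match(r"The buggy address is located (\d+) bytes inside of", ln):
            r["reported_offset"] = int(m[1])
        elif m := re.match(r"\d+-byte region \[([0-9a-f]+), ([0-9a-f]+)\)", ln):
            r["region"] = (int(m[1], 16), int(m[2], 16))
        elif m := re.match(r">?([0-9a-f]{16}): ((?:[0-9a-f]{2} ?){16})$", ln):
            r["shadow"][int(m[1], 16)] = [int(b, 16) for b in m[2].split()]
        elif m := re.match(r"(Allocated|Freed) by task", ln):
            cur = "alloc" if m[1] == "Allocated" else "freed"
        elif cur and re.match(r"\w+\+0x", ln):
            r[cur].append(ln.split("+")[0])     # frames run until a blank line
        elif not ln:
            cur = None
    return r


def shadow_byte(r):
    """Shadow byte covering the faulting address, read from the dumped rows."""
    row = r["addr"] & ~0x7F                     # a printed row covers 128 bytes
    return r["shadow"][row][(r["addr"] - row) >> 3]   # one shadow byte per 8


def first_real_frame(stack):
    return next(f for f in stack if not NOISE.match(f))


def check(r):
    """Cross-checks a triager does by hand; an empty list means consistent."""
    lo, hi = r["region"]
    problems = []
    if r["addr"] - r["obj_base"] != r["reported_offset"]:
        problems.append("computed offset != reported offset")
    if not lo <= r["addr"] < hi or hi - lo != r["obj_size"]:
        problems.append("address or region inconsistent with object size")
    poison = SHADOW_POISON.get(shadow_byte(r))
    if r["bug"] == "use-after-free" and poison != "KASAN_KMALLOC_FREE":
        problems.append(f"use-after-free claimed but shadow is {poison}")
    return problems


# Excerpt of the report above; call trace, allocation stack and page dump omitted.
SAMPLE = """\
[   36.208844] BUG: KASAN: use-after-free in pppol2tp_connect+0x1a97/0x1dd0
[   36.215676] Read of size 8 at addr ffff8801d6326928 by task syz-executor7/12931
[   36.506559] Freed by task 12931:
[   36.509898]  save_stack+0x43/0xd0
[   36.513319]  kasan_slab_free+0x71/0xc0
[   36.517176]  kmem_cache_free+0x83/0x2a0
[   36.521124]  __sk_destruct+0x622/0x910
[   36.524988]  sk_destruct+0x47/0x80
[   36.528498]  __sk_free+0x57/0x230
[   36.531924]  sk_free+0x2a/0x40
[   36.535089]  l2tp_session_free+0x21c/0x2b0
[   36.539293]  pppol2tp_session_destruct+0xd4/0x110
[   36.544106]  __sk_destruct+0xfd/0x910
[   36.547878]  sk_destruct+0x47/0x80
[   36.551385]  __sk_free+0x57/0x230
[   36.554810]  sk_free+0x2a/0x40
[   36.557974]  pppol2tp_put_sk+0x49/0x60
[   36.561831]  rcu_process_callbacks+0xd6c/0x17f0
[   36.566473]  __do_softirq+0x2d7/0xb85
[   36.570242]
[   36.571848] The buggy address belongs to the object at ffff8801d6326700
[   36.571848]  which belongs to the cache UDPv6 of size 1664
[   36.584052] The buggy address is located 552 bytes inside of
[   36.584052]  1664-byte region [ffff8801d6326700, ffff8801d6326d80)
[   36.655740] >ffff8801d6326900: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
"""

if __name__ == "__main__":
    r = parse_kasan_report(SAMPLE)
    print(r["bug"], "in", r["func"], "at offset", r["addr"] - r["obj_base"], "of a",
          r["obj_size"], "byte", r["cache"], "object; freed via", first_real_frame(r["freed"]),
          "; shadow 0x%02x = %s; problems: %s" % (shadow_byte(r), SHADOW_POISON[shadow_byte(r)], check(r)))
```

The check() results are the point: when a report's arithmetic, region and shadow poison all agree, as they do here, the bug class printed in the header can be trusted and triage can move straight to the two sk_free chains in the free stack; a mismatch (for example a shadow byte of 0xfc, the redzone poison, under a use-after-free header) is the first sign of a mislabelled or double-reported crash and is worth catching before anyone reads the call trace.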